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(54) Computer control data modification system 

(57) A data piT)cessing system has an erasable programmable read-only memory (EPROM) 22 for holding firmware, and an 
electrically-erasable programmable read-only memory (EEPROM) 23 for holding patch information specifying modifications 
to be made to the firmware, in operation, code is copied from the EPROM into a random-access memory (RAM) 21 and is 
then patched using the information in the EEPROM. The EEPROM can be accessed by a remote computer. 18, to write 
new patches into rt. The EEPROM has separate areas for holding new and trusted patches. In operation, an attempt is 
made to modify the code using the new patches. If this is successful, the new patch area becomes the trusted patch area. 
Otherwise, the system reverts to the existing trusted patches, if any. 21 23 
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At least one drawing originally filed was inlormal and the print reproduced here is taken from a later filed forma! copy. 



o 

TO 

ro 
on 

CO 



Fig. 1. 



V3 



.21 



REMOTE 
COMPUTER 



17 



18 



11 



13 ^^-v 

\ 20 



COMMS. 
BOARD 



RAM 



PROM 



PROCESSOR 



19 



EEPROM 



EPROM 



■15 



22 



BUS 



12 



f 



NODE SUPPORT 
COMPUTER (NSC) 



16- 



S 



MISCELLANEOUS 
- BOARD 



10 



Fig. 5. 

5-1 



PROCESSING 
NODE 



^PATCHED ?^ ^^ 



5-2 



^ STATUS =2 ?^ 



NO 



5-3- 





YES 


UPDATE PAT( 
PATCH SI 


:h selector 

rATUS:=0 



-1 



5 



CHECK 
EEPROM STATUS 



COPY PATCH 
TO RAM 




CHECK PATCH 
CONTROL AREA 



VALID 



Fig. 2. 



> 



INVALID 



PATCH STATUS :=0 



.2-4 



PATCH SELECT ^=0 
PATCH STATUS :=0 



6- 
7- 

8- 



WRITE PATCH FROM 
RAM TO EEPROM 
- AND C HECK 



PATCH STATUS ==1 



CHECK PATCH 
CONTROL AREA 



F/g. 3. 



3-1 



3-2- 



3-3- 



3-4- 



POWER- UP OR RESET 



ESTABLISHMENT TEST 



ROM-TO-RAM LOADER 



BASE 



INITIAL APPLICATION 



4-1 



4-2- 



4-3' 



0 



CLEAR RAM 
AND TEST 



LOAD BASE AND 
INITIAL APPLICATION 
FROM EPROM TO RAM 



COPY EEPROM TO RAM 
AND CHECK 



PATCH STATUS ? 



4-10 



,FAIL 



KVALII 
NEW I 

VALID 



> 



VALIDATE 
NEW PATCH 



STATUS :=3 



YES 



5 




4-11 



STATUS :=2 



4-5 



4-12 



PATCH SELECTOR 



4-6 




NO 



7^ 



VALIDATE PATCH 
IN RAM 



> 



VALID 



FAIL 



LOG ERROR 



4-9- 



4- 



APPLY PATCH 



. UPDATE 
PATCH STATUS 



C.113 



DATA PROCESSING SYSTEM 

Background to the invention 

This invention relates to data processing 
systems. More specifically, the invention is concerned 
with a data processing system including a data processor 
and a read-only memory (ROM) for holding control 
information for the processor. The control information 
may comprise/ for example, firmware or other programs 
for controlling the operation of the processor. 

In such a system, it may be necessary from time 
to time to update or correct the control information 
held in the ROM. One way of doing this is physically to 
replace the whole ROM with a new ROM. suitably 
programmed with the updated or corrected version of the 
control information. However, this is expensive and 
inconvenient, especially where a large ROM is involved. 
Also, in order to replace a ROM, it is usually necessary 
for skilled personnel to visit the user's site at which 
the system is located. 

United States Patent No. 4 751 703 proposes a 
method of modifying programs held in a ROM without the 
necessity for physically replacing the ROM. The program 
code is divided into blocks, the first instruction of 
each block being held in a special read/write memory 
(RAM) while the remaining instructions are held in the 
ROM. A block of code can be patched by replacing the 
first instruction of that block by a jump to a 
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replacement block. ThuS/ the program in the ROM can 
effectively be modified by modifying the information 
held in the RAM. 

However, a problem with the above method is 
that it requires a virtual addressing scheme for 
addressing the code, since the first instruction of each 
block is physically separate from the rest of the 
block. Moreover r the above method only allows the code 
to be modified by replacing the code on a block-by-block 
basis. 

The object of the present invention is to 
provide a way of updating or modifying information held 
in a ROM without the necessity for physical replacement 
of the ROM, while avoiding the problems mentioned above. 
Summary of the invention 

According* to the invention there is provided a 
data processing system comprising: 

(a) a data processor 

(b) a read-only memory for holding control inform- 
ation for the data processor, 

(c) a read/write random access memory, 

(d) a further memory for holding modification 
information defining modifications to be 
applied to the control information, 

(e) means for copying the control information from 
the read-only memory into the random-access 
memory, and 

(f) means for using the modification information in 
the further memory to modify the copy of the 
control information in the random-'access 
memory. 

One data processing system in accordance with the 
present invention will now be described by way of 
example with reference to the accompanying drawings. 
Brief description of the drawings 

Figure 1 is a block diagram of a data 
processing system embodying the invention, the system 
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including a node support computer (NSC) . 

Figure 2 is a flow chart showing actions 
performed by a remote computer to write patch 
information into the NSC. 

Figure 3 is a flow chart showing operation of 
the NSC when it is powered up or reset. 

Figure 4 is a flow chart showing a ROM-to-RAM 
loader program executed by the NSC. 

Figure 5 is a flow chart showing part of an 
Initial Application program executed by the NSC. 
Description of an embodiment of the invention 

Referring to Figure 1, the data processing 
system comprises a main computer, referred to as a 
processing node 10, and a subsidiary computer referred 
to as a node support computer (NSC) 11. The purpose of 
the NSC is to assist with initial program load of the 
processing node, and to provide various diagnostic and 
monitoring facilities for the processing node. The 
structure of the processing node 10 forms no part of the 
present invention and so will not be described herein. 

The NSC comprises an internal bus 12, which 
interconnects a communications board 13, a processor 
board 14, a ROM board 15, and a miscellaneous board 16. 

The communications board 13 connects the NSC by 
way of a communications link 17 (e.g. a telephone line) 
to a remote computer 18. This allows the remote 
computer to perform diagnostic operations on the system 
and also, as will be described, to load patch 
information into the NSC, 

The processor board 14 includes a conventional 
microprocessor 19, a 16Kbyte programmable read-only 
memory (PROM) 20, and a 1Mbyte dynamic random-access 
memory (RAM) 21. In operation, the microprocessor 
executes programs held either in the PROM 20 or in the 
RAM 21. 

The ROM board 15 comprises a 2Mbyte erasable 
programmable read-only memory (EPROM) 22 and a 16Kbyte 
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electrically erasable programmable read-only memory 
(EEPROM) 23. The EPROM holds programs (firmware) which 
in operation are loaded into the RAM on the processor 
boardr for execution by the processor, as well as 
programs for the processing node 10. The EEPROM holds 
patch information indicating modifications to be made to 
the programs loaded into the RAM from the EPROM. The 
miscellaneous board 26 includes drive circuits -for 
coupling the NSC to the processing node 10. 
EEPROM contents 

The EEPROM contains ISKbytes which are 
addressed as segment number E800, byte offset 0000-7FFF 
(in hexadecimal notation). The contents of the EEPROM 
are as follows:- 

byte offset Contents 
0000-07CF ' reserved 
07DO-07FF control area 

0800-2FFF reserved 
3000-57FF patch area 1 

5800-7FFF patch area 2 

Patch areas 1 and 2 are used to hold patch 
information indicating modifications to be made to the 
programs loaded from the EPROM into the RAM. In 
operation, either of these two patch areas can be 
designated the "trusted" patch area, and is used to hold 
tried and tested patch information. The other of the 
areas is designated the "new" patch area, and is used to 
hold new patch information that has not yet been tried. 

The control area contains information about the 
status of the patch areas as follows 

PATCH BASE ROM ID: This indicates the identity of the 
EPROM to which the patches are to be applied. 
PATCH VALIDITY : This is set to the hexadecimal value 
lA 2B 3C 4D if the other items in the control area are 
valid . 

PATCH SELECTOR: This identifies the current "trusted" 
patch area (if any) and also, by implication, identifies 
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the "new" patch area, as follows. If PATCH SECTOR = 0, 
there is no trusted patch information available, and 
patch area 1 is designated the new patch area. If PATCH 
SECTOR = 1, then patch area 1 is the trusted patch area 
and patch area 2 is the new patch area. If PATCH 
SELECTOR = 2, then patch area 2 is the trusted patch 
area and patch area 1 is the new patch area.- 
PATCH STATUS: This indicates the status pf the new 
patch, if any. If PATCH STATUS = 0, there is no new 
patch. If PATCH STATUS = 1, a new patch is ready to be 
tried. If PATCH STATUS = 2, a new patch is currently 
being tried. If PATCH STATUS = 3, a new patch has 
failed • 

Each of the patch areas consist of a header, 
followed by a number of patch records of variable 
length. Each patch record comprises the following 
fields . 

RECORD LENGTH: this indicates the number of bytes in 
the record, inclusive of this length field. 
RAM SEGMENT ADDRESS and RAM BYTE OFFSET: these two 
fields specify the position within the RAM at which the 
patch data is to be written. 

PATCH DATA: this is the patch data which is to be 
written into the RAM to modify the programs held in the 
RAM. 



of the RAM. 

Using these patch records, a program held in 
the RAM can be modified in two different ways. 



(b) 



(a) 



Each patch record can specify either: 
a modification to an existing byte (or 
contiguous sequence of existing bytes) in 
the RAM, or 

binary data to be written into a reserved area 



(a) 



It can be modified by a straightforward 
byte-f or-byte substitution, specified by one 
or more patch records. 

Alternatively, a patch record can be used to 
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insert a new sequence of code in the reserved 
area of the RAM, while another patch record is 
used to plant a jump instruction to the start 
of the new sequence, at the appropriate 
location of the existing code. 
Transfer of patch records 

The patch records are generated by the remote 
computer 18, and are held in a patch file in that 
computer. When it is desired to update the firmware 
held in the NSC, the patch records are transferred from 
the remote computer 18, by way of the communications 
link 17, into the EEPROM in the NSC. 

The procedure for transferring the patch 
records is shown in Figure 2. 

(2-1) First, the remote computer sends a message to the 
NSC, requesting the status of the NSC. This contains, 
among other things, an indication of the status of the 
EEPROM. If the EEPROM is deemed to have failed, then an 
error message is generated, and the attempt to transfer 
the patch records is abandoned. 

(2-2) Assuming that the EEPROM has not failed, the 
remote computer then accesses the NSC ROM VERSION, i.e. 
the version number of the EPROM currently installed in 
the NSC, and checks whether there are any patch records 
available in the patch file for that ROM version. If 
there are patch records available, the remote computer 
then writes these items into the RAM in the NSC. 

The remote computer then reads the patch 
records back again, and compares them with the data that 
was written. If the comparison fails, an error message 
is generated, suggesting a possible communications 
problem, and the attempt to transfer the patch records 
is abandoned. 

(2-3) Assuming that the comparison is successful, the 
remote computer now reads the current contents of the 
patch control area from the EEPROM in the NSC, and 
checks whether it is valid. 



(2-4) If the contents of the patch control area are not 
valid, the PATCH SELECTOR field is set to 0 to indicate 
that there is no trusted patch information currently 
available in the EEPROM. The PATCH STATUS field is also 
set to 0 to indicate that there is, as yet, no new patch 
information in the EEPROM. 

(2-5) If, on the other hand, the contents of the patch 
control area are valid, it is assumed that there is 
already some trusted patch information in the patch area 
indicated by the PATCH SELECTOR field. In this case, 
only the PATCH STATUS field is set to 0. 

If, at steps 2-4 or 2-5, any of the writes to 
the control area of the EPROM fails, an error message is 
generated, indicating that the EEPROM has failed, and 
patching is abandoned. 

(2-6) The patch records are now transferred from the RAM 
into the new patch area of the EEPROM, as indicated by 
the PATCH SELECTOR field. Again, if any of the writes 
to the EEPROM fails, an error message is generated and 
patching is abandoned. 

The contents of the new patch area are then 
read back from the EEPROM and compared with the data 
that was written. If the comparison fails, an error 
message is generated, and patching is abandoned. 
(2-7) Assuming that the comparison is successful, the 
PATCH STATUS field of the control area of the EEPROM is 
set to 1 to indicate that new patch information is now 
being tried. 

(2-8) Finally, the whole of the patch control area is 
read back from the EEPROM and compared with the expected 
values. If the comparison fails, an attempt is made to 
set the PATCH VALIDITY field of the EEPROM to 0, an 
error message is output, and patching is abandoned. 
Operation of NSC 

Referring now to Figure 3, this shows the 
operation of the NSC when it is powered up or reset. 
(3-1) The first action on power-up or reset is to run an 
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establishment test program, which is resident in the 
PROM 20 on the processor board. This tests the basic 
facilities of the NSC. 

(3-2) Assuming that the establishment test is 
successful, the NSC then performs a ROM-to-RAM loader 
program, which is also resident in the PROM 20. This 
loads BASE and INITIAL APPLICATION* programs from the 
EPROM 22 into the RAM 21. It then applies the patches 
held in the EEPROM 23 to the RAM; that is, it modifies 
the programs in the RAM in accordance with the patch 
information in the EEPROM. 

(3-3) At the end of the ROM-to-RAM loader, the NSC jumps 
to the start of the BASE program, which is now held in 
the RAM, modified by any patches. This is the basic 
operating program of the NSC. 

(3-4) The BASE program calls the INITIAL APPLICATION 
program. This controls loading of firmware from the 
EPROM 22 into the processing node 10. 
ROM- to- RAM loader 

The ROM-to-RAM loader program referred to above 
will now be described in more detail with . reference to 
Figure 4. 

(4-1) The first action of the ROM-to-RAM loader is to 
clear the RAM 21 and to test it. 

(4-2) The BASE and INITIAL APPLICATION programs are then 
loaded from the EPROM 22 into the RAM. 

(4-3) The contents of the EEPROM 23 are then copied into 
a reserved area of the RAM. The copy is read back three 
times and compared with the contents of the EEPROM, to 
provide a stability check on the contents of the 
EEPROM. Also, the patch control area is checked to 
ensure that the PATCH VALIDITY -field is set, and that 
other items in the control area have valid values. 
(4-4) A branch is now made according to the value of the 
PATCH STATUS field of the patch control area. 

If the PATCH STATUS is 0, there is no new patch 
available, and if PATCH STATUS is 3, there is a new 
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patch, but it has failed for some reason. In either of 
these cases, the following actions are performed, 
(4-5) If the PATCH SELECTOR field is non-zero, there is 
a trusted patch available, which can be used. 
(4-6) The copy of the trusted patch in the RAM is 
checked to ensure that it is valid. 
(4-7) If the patch is valid, it is applied to the 
programs previously loaded into the RAM. This involves 
reading each patch record in turn from the patch area, 
and writing the patch data in that record into the RAM 
at consecutive locations, starting from the byte 
specified by the RAM SEGMENT ADDRESS and RAM BYTE OFFSET. 
(4-8) If it was found at step 4-7 above that the patch 
was invalid, an error is logged and the attempt to apply 
the patches is abandoned. 

(4-9) If the patch* status has been changed by the 
ROM-to-RAM loader, the EEPROM is accessed and the PATCH 
STATUS field is updated accordingly. 

(4-10) If it was found at step 4-4 above that PATCH 
STATUS = 2, this indicates that a new patch has been 
tried, but the programs as modified by the new patch 
failed to run successfully. In this case, the PATCH 
STATUS is changed to 3 to indicate that the new patch 
has failed. The procedure then continues from step 4-5 
as described above. 

(4-11) If it was found at step 4-4 that PATCH STATUS = 
1, this indicates that a new patch is ready to be 
tried. The copy of the new patch in the RAM is checked 
to ensure that it is valid. 

(4-12) If the new patch is valid, then PATCH STATUS is 
set to 2 to indicate that a new patch is now being 
tried. The procedure then continues from step 4-7 as 
described above, using the designated new patch area to 
patch the RAM. If, on the other hand, the new patch is 
found to be invalid, the procedure continues from step 
4-10 as described above. 
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INITIAL APPLICATION . 

As described above r after the ROM-to-RAM loader 
program, the BASE and INITIAL APPLICATION programs are 
run . 

At some convenient point in the execution of 
the INITIAL APPLICATION program, the actions shown in 
Figure 5 are performed. 

(5-1) A test is made to determine whether or not the 
program has been patched. 

(5-2) If so, the PATCH STATUS field is examined. 

(5-3) If PATCH STATUS = 2, this indicates that a new 
patch is currently being tried. Since the INITIAL 
APPLICATION program is now running successfully with the 
new patch in place, it is assumed that the new patch is 
successful. Hence, the EEPROM is accessed and the PATCH 
SELECTOR is updated, to indicate that this new patch is 
now the trusted patch, and the PATCH STATUS is set to 0 
to indicate that there is now no new patch. The program 
then continues running normally. 

If either of the write accesses to the EEPROM 
fails, the NSC is reset, so that it will restart with 
the establishment test as shown in Figure 3. 
Conclusion 

In summary, it can be seen that the above 
sequences allow patch information to be written into the 
EEPROM, and then to be applied to the programs the next 
time the NSC is reset or powered up. 

If the newly applied patch information corrupts 
the BASE or INITIAL APPLICATION programs to such an 
extent that the latter fails to get established, then at 
the next reset or power-up the new patch will be 
designated as "failed". The system will therefore 
revert to any existing trusted patches or, if there are 
no trusted patched, will proceed without any patches 
being applied . 



CLAIMS 

1. A data processing system comprising :- 

(a) a data processor, 

(b) a read-only memory for holding control 
information for the data processor, 

(c) a read/write random-access memory, 

(d) a further memory for holding modification 
information defining modifications to be 
applied to the control information, 

(e) means for copying the control information from 
the read-only memory into the random-access 
memory, and 

(f) means for using the modification information in 
the further memory to modify the copy of the 
control information in the random-access memory. 

2. A system, according to Claim 1 wherein the 
further memory is an electrically erasable programmable 
read-only memory (EEPROM) . 

3. A system according to Claim 1 or 2 wherein said 
further memory is accessible by a remote computer to 
allow the remote computer to write modification 
information into the further memory. 

4. A system according to any preceding claim 
wherein said control information comprises a program for 
controlling the operation of the data processor. 

5. A data processing system according to any 
preceding claim wherein said further memory comprises at 
least two areas, one of said areas being designated as a 
trusted area for holding modification information that 
has been successfully tried, and another of said areas 
being designated as a new area for holding modification 
information that has not yet been tried. 

6. A data processing system substantially as 
hereinbefore described with reference to the 
accompanying drawings. 

7. A method of operating a data processing system 
comprising : - 



(a) storing control information in a read-only 
memory, 

(b) storing modification information in a further 
memory, 

(c) copying the control information from the 
read-only memory into a read/write 
random-access memory, and 

(d) using the modification information in the 
further memory to modify the copy of the 
control information in the random-access memory, 

8. A method according to Claim 7, further 
comprising the steps :- 

(a) dividing the further memory into at least two 
areas , 

(b) designating one area as a trusted area for 
holding modification information that has been 
successfully tried, and 

(c) designating the other area as a new area for 
holding modification information that has not 
yet been tried. 

9. A method according to Claim 8 wherein the step 
of using the modification information comprises checking 
the information in the new area and, if the checking is 
satisfactory: 

(a) using the modification information in the new 
area to modify the control information in the 
random— access memory, 

(b) operating the data processing system using the 
modified control information, and 

(c) if the data processing system operates 
successfully using the modified control 
information, re-designating the new area as the 
trusted area. 

10. A method according to Claim 9 wherein, if the 
data processing system does not operate successfully 
using the modified control information: 

(a) the control information from the read-only 
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memory is copied again into the random-access memory, and 
(b) the modification information (if any) in the 

trusted area is used to modify the control 
information in the random--access memory. 

11. A method according to any one of claims 7 to 10 
including the step of writing modification information 
into the further memory from a remote computer by way of 
a communications link. 

12. A method of operating a data processing system 
substantially as hereinbefore described with reference 
to the accompanying drawings. 
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